RED 15w requirements

The traffic is handled according to the mode and wireless traffic type. Before you set up a RED 15w (wireless), you must meet the preconditions for the mode.

Standard/unified and standard/split

In standard/unified mode, all traffic from the RED is sent to the firewall.

In standard/split mode, all traffic from the split networks is sent to the firewall. All other traffic is sent to the default gateway specified by the remote DHCP server. This is usually the router to which the RED is connected at the remote site.

The following preconditions must be met for wireless:

  • A RED interface must be available and must have an IP address.
  • A DHCP server must be running on the RED interface.
  • DNS must be resolvable on the RED interface.

Separate zone

All traffic from a separate zone network is sent to Sophos Firewall using the Virtual Extensible LAN (VXLAN) protocol. The packets will be encrypted while crossing the RED tunnel. The separate zone networks are connected to each other in Sophos Firewall. You must configure Sophos Firewall to allow traffic for the AWE (Astaro Wireless Extension) client and VXLAN (RFC 7348) for the RED interface.

AWE client is a client daemon, which runs on access points and REDs with wireless support. It registers access points on Sophos Firewall.

Bridge to AP LAN

The RED will bridge the SSID in the LAN network behind the RED. This includes LAN ports 1–4. Clients connected to this SSID are able to reach the RED tunnel endpoint interface on the firewall site if the firewall allows traffic from the RED network to the RED interface.

Bridge to VLAN (Standard/Unified)

The RED will tag all traffic from clients that are connected to this SSID using the configured VLAN tag. Clients are able to reach all network devices with the same VLAN tag that are connected to LAN ports 1–4 as well as a VLAN tagged interface on top of the tunnel endpoint interface on the firewall site.

Bridge to VLAN (Standard/Split)

The clients are able to reach all hosts behind the RED that own the same VLAN tag. Also, the tunnel endpoint is reachable if a VLAN interface is configured on top of the RED interface on the firewall site. The split networks cannot be reached as these are routed for untagged packets only.

Transparent/Split

In this mode, only split networks are reachable through the firewall. All other networks are routed through the router at the remote site. The remote network also provides DHCP and DNS. In this case, the RED interface must obtain an IP address through the remote DHCP server.

  • A RED interface must be available and must have an IP address.
  • DNS must be resolvable on the RED interface.
  • The remote DHCP server must provide DHCP option 234, which contains the IP address of the RED interface on the firewall site. (Otherwise, 1.2.3.4 is used.)
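
To check the option 234 precondition before deployment, the options field of a DHCP offer from the remote site can be parsed as below. This is an added example, not Sophos code: the function names and sample bytes are constructed, and it assumes option 234 carries a 4-byte IPv4 address, which the page does not specify.

```python
import ipaddress

FALLBACK = ipaddress.IPv4Address("1.2.3.4")  # used when option 234 is absent (per the page)
RED_OPTION = 234
PAD, END = 0, 255  # RFC 2132 single-byte options without a length field


def parse_dhcp_options(raw: bytes) -> dict[int, bytes]:
    """Parse an RFC 2132 options field (the bytes after the magic cookie)."""
    options, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == END:
            break
        if code == PAD:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError(f"option {code} has no length byte")
        length = raw[i + 1]
        value = raw[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        # RFC 3396: values of a repeated option code are concatenated.
        options[code] = options.get(code, b"") + value
        i += 2 + length
    return options


def red_endpoint(raw: bytes):
    """Return (address, source) for the firewall-side RED interface."""
    value = parse_dhcp_options(raw).get(RED_OPTION)
    if value is None:
        return FALLBACK, "fallback"
    if len(value) != 4:  # assumption: payload is a 4-byte IPv4 address
        raise ValueError(f"option 234 has {len(value)} bytes, expected 4")
    return ipaddress.IPv4Address(value), "option 234"


# Constructed sample options fields (not captured traffic).
COMMON = [53, 1, 2, 54, 4, 192, 168, 1, 1, 6, 4, 192, 168, 1, 1]
WITH_234 = bytes(COMMON + [234, 4, 10, 10, 10, 1, 255])
WITHOUT_234 = bytes(COMMON + [255])

if __name__ == "__main__":
    for name, sample in (("with option 234", WITH_234), ("without", WITHOUT_234)):
        addr, source = red_endpoint(sample)
        print(f"{name}: {addr} ({source})")
```

A result of `1.2.3.4 (fallback)` means the remote DHCP server is not handing out option 234 and needs to be configured before the RED is deployed in this mode.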

Separate zone

Same behavior as for Standard/Unified and Standard/Split.

Bridge to AP LAN

Same behavior as for Standard/Unified and Standard/Split.

Bridge to VLAN

The clients are able to reach all hosts behind the RED that own the same VLAN tag on LAN ports 1–4 as well as on the WAN port. The split networks cannot be reached as these are routed for untagged packets only.